[QA] v0.5.0-rc1 Testplan

[jnweiger]

Setup

Setup details (click to expand)

References: * https://github.com/owncloud/oauth2/wiki/OAuth-code-Flow-Sequence-Diagram

OAuth2 app Test Plan

This aims to be a client-agnostic testplan for the OAuth2 application, centered in the actions available in the webUI and/or occ commands and their impact on ownCloud's core behavior. To test the application from a client standpoint see:

• Desktop Sync client: https://github.com/owncloud/QA/pull/473
• Mobile client: https://github.com/owncloud/QA/pull/474

Testing functionality

Test Case	Expected Result	Result	Related Comment
CLI commands
Enable OAuth2 app via CLI using occ app:enable oauth2	- The apps gets enabled - Replies from the WebDAV endpoint includes a new WWW-Authenticate: Bearer... header	:heavy_check_mark:
Disable OAuth2 app via CLI using occ app:disable oauth2	- The apps gets disabled - Previously mentioned header goes away in further requests	:heavy_check_mark:
Registered Clients
Default clients	The default Registered clients are included among the "Settings > Admin > User Authentication" OAuth 2.0: Registered Clients	:heavy_check_mark:	See https://github.com/owncloud/oauth2/pull/38 for the default values
Register new Client	64-character-length client_id and client_secret are generated together with a (required) Client Name and a (required) Redirection URL	:heavy_check_mark:
Remove a Client	- Confirmation dialog is prompted before removal - All client sessions opened from those clients get removed	:heavy_check_mark:
Unregistered Clients
Authentication flow from an unregistered client	Unsuccessful Authorization Request	:heavy_check_mark:	Browser displays the "Request not valid" screen.
Authorized Applications
Login with a Registered Client	The Client Name is displayed amongst the "Personal > Security" OAuth 2.0 Authorized Applications	:heavy_check_mark:
Session Revocation (i.e. delete Authorized Application)	All the sessions opened in the clients are revoked and must be re-authorized	:heavy_check_mark:	see below https://github.com/owncloud/oauth2/issues/301#issuecomment-915343637
User Account Handling
Password change	Open sessions are revoked and new credentials must be used in further login attempts	:heavy_check_mark:
Authorization Flow
Successful Authorization Request without any session open in the browser	Login form with an additional informative note about the application requesting access to ownCloud is displayed	:heavy_check_mark:
Successful Authorization Request with a valid session in the browser	The "Authorize" screen is displayed	:heavy_check_mark:
Successful Authorization Request in a browser with a different user logged in	The "Switch User" screen is displayed, allowing to modify the current session	:heavy_check_mark:	See use of the additional user parameter in: https://github.com/owncloud/oauth2/pull/67
Failed attempt in the authorization login form	The query parameters for the Authorization Request are preserved in next attempts	:heavy_check_mark:	See original issue in: https://github.com/owncloud/core/issues/28129 See details below:https://github.com/owncloud/oauth2/issues/301#issuecomment-915357324
Relevant Smoke Tests
Unauthenticated Actions: Public File Drop	Files get uploaded normally	:heavy_check_mark:	See https://github.com/owncloud/oauth2/pull/100 See details below: https://github.com/owncloud/oauth2/issues/301#issuecomment-915363173

---

[jnweiger]

Testing Session Revocation

• reduce the token timeouts

  $ pushd /var/www/owncloud/apps/
  $ sed -i -e 's/3600/180/g' oauth2/lib/Db/AccessToken.php
  $ sed -i -e 's/600/120/g'  oauth2/lib/Db/AuthorizationCode.php

• connect client via oauth2, inspect and remove tokens

  $ mysql owncloud -e 'select * from oc_oauth2_access_tokens'
  +----+------------------------------------------------------------------+-----------+---------+------------+
  | id | token                                                            | client_id | user_id | expires    |
  +----+------------------------------------------------------------------+-----------+---------+------------+
  |  1 | ETN3uYSb8kXwzgeQbH1wApDSmnLXUhdU9OYqBPybl3u0BZxlyxKAhRDeOjJFFIsu |         1 | admin   | 1630626385 |
  | 10 | yYCJasvRh3ZmuLMEHcVfBtPqRp4p4j4cpNOtZb5gtabS0frUF6bye7wEXj1XJmrR |         1 | admin   | 1630655369 |
  | 84 | Ksjj4x8yBZiOUjU4HC1XYS6AUHofG7rjk5y24KSxiqVNUxTEUNnfjej7P8cAesda |         1 | admin   | 1631057658 |
  | 85 | E9e1bwjdP2o6MGMvhnNufOQC5XWIvZhsRxkTdc9wBQ3cXwF6eLXmjermmhgsFBqX |         1 | admin   | 1631117803 |
  +----+------------------------------------------------------------------+-----------+---------+------------+
  $ mysql owncloud -e 'delete from oc_oauth2_access_tokens'

• Wait 3 minutes, a new token appears in the database.

• change the client id so that token refresh is no longer possible:

  $ mysql owncloud -e 'update oc_oauth2_clients set id=99 where name like "Desktop%"'
  $ mysql owncloud -e 'delete from oc_oauth2_access_tokens'

• the client gets logged out, the oauth dialog restarts

• you can reauthenticate, a new token with the new id=99 is generated.

  $ mysql owncloud -e 'select * from oc_oauth2_access_tokens'
  +----+------------------------------------------------------------------+-----------+---------+------------+
  | id | token                                                            | client_id | user_id | expires    |
  +----+------------------------------------------------------------------+-----------+---------+------------+
  | 90 | ix1llPRlWrpL8HcJOLSN5BR8DVTGh6V7rDkHd5jPwBucNPiECZM3LztQV3OdUVxa |        99 | admin   | 1631119210 |
  +----+------------------------------------------------------------------+-----------+---------+------------+

[jnweiger]

Testing query params at the authorization form

• enter server url at client

• The auth form opens in a web browser. Find the redirect_uri in the params, it ends in 673 in this example:

• change the last digit (from 3 to 4), hit enter to send this url.

• use wrong user name, login fails,

• use wrong password, login fails

• use correct username and password, authorization succeeds, but the redirect back to the client fails as expected:

• This is due to the changed port number. Change the digit back to normal, hit enter -> the client connects.

[jnweiger]

Testing file drop

• login via web UI, create a public link on a folder as file drop
• start a fresh browser session, copy paste the link. An anonymous upload opens, no authentication required:
• Files can be uploaded, and appear in the user's folder.
• The file's activity tab tells the user, that the file was uploaded via public link

[jnweiger]

Regression test passed!

Changelog testing

• [x] Add support for trusted clients #298
• [x] Support setups with user login name != internal UID #286
• [x] Implement the oauth2 pkce extension #276
• [x] Return proper error description for auth-core/refresh-token errors #279
• [x] Adjust PHP dependencies for composer 2.0 #273

[jnweiger]

All QA passed. :ship: it!

[jnweiger]

old release was done